Privacy Policy
How we collect, use, protect and share personal information across Plutobee Services. Effective May 30, 2026.
This Privacy Notice explains how Plutobee, Inc. ("Plutobee", "we", "us", "our") collects, uses, discloses, retains and protects personal information when you visit our websites, use our products and services, or otherwise interact with us. It applies globally and is supplemented by the regional notices in Section 15.
Table of contents
- Scope and acceptance
- Who is the controller
- Definitions
- Personal information we collect
- How and why we use personal information
- Legal bases for processing (EEA/UK)
- Sharing and disclosure
- International data transfers
- Retention
- Your rights
- Children
- Automated decision-making and AI
- Security
- Third-party links
- Regional disclosures (EEA/UK, California, others)
- Changes
- How to contact us
1. Scope and acceptance
This Notice applies to all personal information processed by Plutobee when you (a) visit plutobee.com or any Plutobee subdomain or affiliated property, (b) use the products and services we own or operate (including JaxSuite, File.business, TroyFunds, FLfiling, the Plutobee Hive, and any other software-as-a-service offering), or (c) communicate with us in any other capacity (collectively, the "Services"). By accessing the Services you acknowledge the practices described in this Notice. If you are a client engaging Plutobee under a Master Services Agreement or similar contract, the relevant agreement (including any Data Processing Addendum) governs and supersedes this Notice with respect to client-controlled data.
2. Who is the controller
Unless stated otherwise, Plutobee, Inc., a Delaware corporation with headquarters in Miami, Florida, United States, is the controller (or "business" under California law) of personal information described in this Notice. For Services provided to a client under a service agreement, Plutobee acts as a processor (or "service provider") on the client's behalf, and the client is the controller of personal information they make available to us. Our authorised representative in the European Union is identified in Section 15.A.
3. Definitions
Terms used in this Notice have the meanings ascribed below.
- Personal information: any information that relates to an identified or identifiable natural person, equivalent to "personal data" under the GDPR and "personal information" under the CCPA/CPRA.
- Sensitive personal information: special categories of data under Article 9 GDPR (e.g., health, biometric, racial or ethnic origin) and sensitive personal information under the CPRA (e.g., government identifiers, precise geolocation).
- Processing: any operation performed on personal information.
- Processor / sub-processor: an entity that processes personal information on behalf of a controller.
- Data subject: the natural person to whom the personal information relates.
4. Personal information we collect
4.1 Information you provide
- Identity and contact data: name, business email, phone, postal address, job title, employer.
- Account credentials: username, hashed password, multi-factor authentication tokens, recovery information.
- Engagement data: details you submit in a project brief, statement of work, careers application, NDA request, or support ticket.
- Payment and billing information: for clients on paid Services, billing contact, tax identifiers, and limited payment-method details (we do not store card numbers; tokenized payment is handled by Stripe, see Section 7.A).
- Communications: contents of emails, chat messages, call recordings (where notified and consented), feedback and survey responses.
4.2 Information collected automatically
- Device and connection data: IP address, device type, operating system, browser, language, time zone, referrer, screen resolution.
- Usage data: pages viewed, features used, links clicked, search terms, timestamps, error reports, performance metrics.
- Cookies and similar technologies: see our Cookie Policy for categories, vendors, retention periods and controls.
4.3 Information from third parties
- Authentication providers (e.g., Google, Microsoft, Apple, Anthropic) when you sign in via single sign-on.
- Public sources: company directories, professional networks (e.g., LinkedIn) used during business-to-business outreach with appropriate legal basis.
- Service providers who provide us with marketing, analytics, fraud-prevention or compliance services.
- Client-supplied data: where you are a user of a client's instance of our Services, the client may provide your information to us as their processor.
4.4 Sensitive personal information
We do not knowingly collect sensitive personal information except where it is voluntarily provided as part of an employment application (where applicable laws permit), or where you choose to share it in support correspondence. We do not sell or share sensitive personal information.
5. How and why we use personal information
We use personal information for the following purposes. Cross-references to Section 6 indicate the legal basis under the GDPR.
- Provide and maintain the Services: account creation, authentication, support, billing, fraud prevention. [6(b), 6(f)]
- Communicate with you: respond to inquiries, send service notices, schedule discovery calls, send proposals. [6(b), 6(f)]
- Improve the Services: analytics, A/B testing, debugging, capacity planning. [6(f)]
- Personalise content: remember your preferences and surface relevant content. [6(f), or 6(a) where required]
- Marketing (with consent where required): send newsletters, event invitations, product updates. You can unsubscribe at any time. [6(a), 6(f)]
- Legal compliance: tax, accounting, anti-money-laundering, sanctions screening, responding to lawful requests. [6(c)]
- Protect rights, property and safety: detect, prevent and investigate fraud, security incidents, abuse of the Services. [6(f)]
- Recruiting: evaluate job applications, conduct interviews, verify credentials. [6(b), 6(f)]
- AI training, evaluation and quality control: where you interact with AI-powered features, we may use inputs and outputs to evaluate model performance and detect abuse, subject to the safeguards in Section 12.
6. Legal bases for processing (EEA/UK)
Where the GDPR or UK GDPR applies, our legal bases are:
- Contract (Art. 6(1)(b)): to perform a contract with you or to take steps at your request before entering a contract.
- Legal obligation (Art. 6(1)(c)): to comply with applicable law.
- Legitimate interests (Art. 6(1)(f)): to operate, secure, improve and market the Services, where not overridden by your interests or rights. A balancing test is available on request.
- Consent (Art. 6(1)(a)): for non-essential cookies, certain marketing communications, and other activities for which we ask you to opt in.
7. Sharing and disclosure
We disclose personal information to the following categories of recipients, under contracts that include confidentiality and data-protection obligations.
7.A Service providers (processors)
Cloud hosting (AWS, Cloudflare); communications (Google Workspace, Slack, Twilio); payments (Stripe); analytics (Plausible, Google Analytics where consented); customer support (HubSpot, Intercom); error monitoring (Sentry, Datadog); productivity (Notion, Linear); recruiting (Greenhouse-equivalent ATS); AI providers (Anthropic, OpenAI where Customer opts in).
7.B Affiliates
Plutobee group companies in jurisdictions where we operate, under intra-group data-transfer agreements.
7.C Professional advisers
Lawyers, auditors, accountants, insurers, bankers under professional duties of confidentiality.
7.D Authorities and legal requests
Where required by law, court order, or government request, with appropriate notice to you where lawfully possible.
7.E Business transfers
In connection with a merger, acquisition, financing, reorganisation, bankruptcy or sale of assets, in which case data protection terms equivalent to this Notice will apply to the successor.
7.F Aggregated or de-identified data
We may share aggregated or de-identified information that cannot reasonably be used to identify you with partners, investors and the public for benchmarking, research and marketing.
7.G We do not sell personal information
We do not sell personal information for money. We may "share" certain online identifiers for cross-context behavioural advertising as defined under the CPRA only with your prior opt-in consent, and you may withdraw consent at any time via the cookie preference centre.
8. International data transfers
Plutobee operates globally. Personal information may be transferred to and processed in jurisdictions outside your country of residence, including the United States, the European Economic Area, the United Kingdom, Turkey and Estonia. We rely on the following mechanisms:
- Standard Contractual Clauses (Commission Decision 2021/914 with the UK International Data Transfer Addendum where applicable).
- Adequacy decisions where available.
- Derogations under Article 49 GDPR where strictly necessary (e.g., performance of a contract requested by you).
A list of our sub-processors and the transfer mechanisms applicable to each is available on request from privacy@plutobee.com.
9. Retention
We retain personal information only for as long as necessary for the purposes for which it was collected, subject to applicable legal, accounting or reporting requirements. Indicative retention periods:
- Account records: for the duration of the account plus thirty-six (36) months.
- Billing and tax records: seven (7) years (US) / ten (10) years (EU) as required by applicable tax law.
- Support tickets: thirty-six (36) months after closure.
- Marketing consents: until withdrawn, then logged for thirty-six (36) months for audit purposes.
- Recruitment data: twelve (12) months after the conclusion of the recruiting process, unless you consent to a longer period.
- Security logs: thirteen (13) months unless a longer period is required for an ongoing investigation.
- Cookies: see Cookie Policy.
10. Your rights
Depending on your jurisdiction, you may have the following rights with respect to your personal information:
- Access to the personal information we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure ("right to be forgotten") subject to legal exceptions.
- Restriction of processing in defined circumstances.
- Objection to processing based on legitimate interests or direct marketing.
- Portability: receive your data in a structured, commonly used and machine-readable format.
- Withdraw consent at any time, without affecting prior lawful processing.
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
- Lodge a complaint with your supervisory authority.
To exercise any right, email privacy@plutobee.com. We respond within thirty (30) days (extendable by sixty (60) days for complex requests, with notice). We will verify your identity before fulfilling a request and may decline requests that are manifestly unfounded, repetitive or contrary to law.
11. Children
Our Services are not directed to children under sixteen (16) years of age and we do not knowingly collect their personal information. If you believe we have collected information from a child, please contact privacy@plutobee.com and we will delete it promptly.
12. Automated decision-making and AI
We do not use automated processing that produces legal or similarly significant effects with respect to you without a lawful basis and appropriate safeguards. Where AI-powered features process your inputs:
- We disclose the use of AI in the relevant Service interface.
- We provide meaningful information about the logic involved and the consequences.
- We do not use Customer-controlled data to train foundation models unless Customer expressly authorises it under a separate addendum.
- We implement evaluations, red-teaming and output filtering proportionate to risk.
- You can request human review of significant AI-assisted decisions where applicable law requires.
13. Security
We implement administrative, technical and physical safeguards designed to protect personal information, including: encryption in transit (TLS 1.2+) and at rest (AES-256); role-based access controls with least-privilege defaults; multi-factor authentication for production systems; vulnerability management; secure software development practices; incident response procedures; staff training. We undergo annual independent assessments and maintain SOC 2 Type II and ISO/IEC 27001 attestations as applicable. No system is impenetrable; we cannot guarantee absolute security.
14. Third-party links
Our Services may contain links to third-party websites and services that we do not operate or control. We are not responsible for their privacy practices. We encourage you to review their privacy notices.
15. Regional disclosures
15.A European Economic Area, United Kingdom and Switzerland
If you are located in the EEA, the UK or Switzerland, the GDPR and UK GDPR apply. Our EU representative under Article 27 GDPR can be contacted via privacy@plutobee.com using the subject line "EU Representative". You may lodge a complaint with the supervisory authority in your habitual residence, place of work or place of the alleged infringement (in Estonia: the Data Protection Inspectorate; in Germany: the Federal or State Data Protection Authority; in the UK: the Information Commissioner's Office).
15.B California (CCPA / CPRA)
If you are a California resident, you have the right to know, delete, correct, limit use of sensitive information, opt out of sale or sharing, and to non-discrimination for exercising your rights. We have not sold personal information for monetary consideration in the preceding twelve (12) months. To submit a verifiable consumer request, email privacy@plutobee.com with subject "CCPA Request" or use the Cookie preferences link in the footer for opt-outs. Authorised agents may submit requests on your behalf with verifiable documentation. We will not discriminate against you for exercising your rights.
15.C Other US states
Residents of Colorado, Connecticut, Utah, Virginia, Texas, Oregon and other states with comprehensive privacy laws may exercise rights substantially equivalent to those described in Section 10, including the right to appeal a refusal. Contact privacy@plutobee.com.
15.D Brazil (LGPD)
If you are located in Brazil, the LGPD applies. You may exercise the rights set out in Article 18 LGPD via privacy@plutobee.com. Our Encarregado / Data Protection Officer is reachable at the same address.
15.E Turkey (KVKK)
If you are located in Turkey, Law No. 6698 on the Protection of Personal Data ("KVKK") applies in addition to this Notice. Plutobee's Istanbul office may be contacted as data controller; you may exercise rights under Article 11 KVKK by writing to the same address.
16. Changes
We may update this Notice from time to time. Material changes will be posted with a new "Effective" date at the top and, where appropriate, additional notice (e.g., email or in-product banner). Your continued use of the Services after the effective date constitutes acceptance of the updated Notice.
17. How to contact us
Plutobee, Inc.
Attn: Privacy & Data Protection
Miami, Florida, United States
Email: privacy@plutobee.com
For our EU Representative, see Section 15.A. For DPA requests from clients, see our Data Processing Addendum.